Facebook profile viewer scams circulate, install suspicious extensions to mess with Firefox and Chrome


Facebook profile viewerThreatTrack security researcher Chris Boyd (aka “Paperghost”) has detailed the latest in a growing number of attacks posing as “Facebook Profile Viewer” applications, but which actually aim to make sinister changes to victims’ web browsers.

In a blog post Boyd explains how he came across a webpage on Tumblr with a name which suggested it could provide free lives for the famously addictive Candy Crush Saga Facebook game.

However, as you can see below, the webpage seems much more interested in encouraging you to find out who has been viewing your Facebook profile than improving your candy-matching skills:


The fake Profile Viewer promotion encourages users to delve further, with the following instructions:

To activate your Profile Viewer… follow the simple instructions below.

Step 1: Click Scan button.
Step 2: Click download file ProfileViewersSetup.exe and click yes when prompted to start scanning who viewed your profile.
Step 3: Once you click yes the results will be available to you.

Sure enough, if you click the scan button you begin to download a Windows executable program called ProfileViewersSetup.exe. I tried downloading the program on a Mac computer, and it was proactively identified by Sophos as Mal/Generic-S.

Malicious threat detected

Boyd reports that ThreatTrack’s VIPRE product detects the file as Trojan.Win32.Clicker!BT.

But what if you weren’t running an anti-virus program capable of intercepting this malware? What would happen then?

Well, if you download and run the executable on a Windows computer, a new .xpi extension called “WhoViewS 5.2″ will be installed into your Firefox browser. Suspiciously, the extension gives its homepage as microsoft.com and uses an Adobe Flash logo as its avatar.


Boyd says that he and his fellow researchers at ThreatTrack are continuing to analyse the purpose of this extension, but it’s clear that it’s intentions are not good. In the past rogue Firefox extensions have been seen that interfere with your search settings, display pop-up advertising, redirect browsers to webpages that earn cybercriminals affiliate cash and so forth.

Indeed, if you’re not using Firefox on your computer but are a Chrome-lover instead you will find your preferred browser has started redirecting you to pages that ask you to complete surveys - again, with the intention of earning money for the scammers.

I’ve said it before, and I’ll say it again. There is *no* way that you can find out who has been looking at your Facebook profile. So putting your personal computer and data at risk by hunting for a solution.

If you want to learn more about the latest Facebook scams, and ways to protect yourself online, like the Graham Cluley Security News Facebook page.

Tags: , , , , , , , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , , , , , ,

One Response

  1. spryte

    July 4, 2013 at 2:48 pm #

    Is that just chrome?
    Or all chromium browsers?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.